\subsection{Analysis I}
\begin{frame}
    \frametitle{The Target}
    \pgfimage[width=5cm]{images/analysis_I/virus_I_mugshot}
    \begin{block}{}
        \begin{itemize}
            \item SHA1: \emph{c9f10fa5135e3f10c1fb942d12bb8f267e4203d0}
            \item MD5: \emph{04c94ee7122a2844e12afe0928806fa0}
        \end{itemize}
    \end{block}
\end{frame}

\begin{frame}
    \frametitle{Is it Packed?}
    \begin{itemize}
        \item<+-> If so, generally there are no visible strings.
            \pedbullet{<+->\alert{Remember: Unicode strings have a non-occidental charset}}
        \item<+-> Most common imports will not be present
        \item<+-> Perhaps only \texttt{LoadLibrary} and \texttt{GetProcAddress}
        \item<+-> Recall that we can utilize statistical tests as an indicator
            \pedbullet{<+->A high entropy indicates a \emph{very-likely-to-be-compressesed} data section}
    \end{itemize}
\end{frame}
        
\begin{frame}[t]
    \frametitle{What is it Packed With?}
  \begin{columns}[T]
    \begin{column}{6cm}
      \begin{itemize}
        \item Can we guess the packer?
        \item Does \emph{PEiD} help?
        \item Does a hexeditor expose any clues?
      \end{itemize}
    \end{column}
    \begin{column}{6cm}
        \pgfimage<1->[width=5.6cm]{images/analysis_I/UPX_hexdump_scrambled_strings}%
    \end{column}
  \end{columns}
\end{frame}

\begin{frame}[t]
    \frametitle{First Look in IDA}
    \begin{block}{}
        Notice that opening the file in \emph{IDA} results in complaints about a missing import table. The navigation bar reveals very little code. What we see is the \emph{UPX} unpacking code with its typical start and finish.
    \end{block}
  \begin{center}
    \pgfimage<1>[width=10cm]{images/analysis_I/UPX_unpacker_code_start}
    \pgfimage<2>[width=10cm]{images/analysis_I/UPX_unpacker_code_end}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Bypassing UPX}
    \begin{itemize}
        \item<+-> Despite its simplicity, \emph{UPX} is very commonly used
        \item<+-> Set a breakpoint at the jump to the \emph{OEP} (\alert{not in the destination})
        \item<+-> Continue the process and let the unpacker do its work
        \item<+-> Once the breakpoint is hit we can step to the next instruction to find the unpacked code
    \end{itemize}
\end{frame}

\begin{frame}[t]
    \frametitle{OEP Before and After}
    \begin{center}
        \pgfimage<1>[height=6cm]{images/analysis_I/UPX_oep_not_unpacked}
        \pgfimage<2>[height=6cm]{images/analysis_I/UPX_oep_unpacked}
    \end{center}
\end{frame}

\begin{frame}
    \frametitle{Dumping the Image}
    \begin{itemize}
        \item<+-> We need to save the unpacked image to disk for analysis
        \item<+-> The \emph{OllyDump} plugin can do this for us
        \item<+-> \emph{OllyDump} can also rebuild the \emph{IAT}
        \item<+-> \emph{ProcDump} and \emph{ImpRec} are other tools for accomplishing the job
        \item<+-> Now we are ready to jump back to IDA
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{The Analysis}
    \begin{block}{}
        This executable has a range of interesting features and there are certain considerations to take into account during the analysis
    \end{block}
    \pause
    \begin{itemize}
        \item<+-> A good amount of code is not properly recognized, we will need to manually define it
        \item<+-> Function ends are often not found properly, we must manually fix these
        \item<+-> There will be tables of pointers interleaved within the code, these are \emph{Delphi}'s structures
        \item<+-> \emph{IDA} might not recognize library functions, therefore we might need to spot these manually
        \item<+-> A good approach is to linearly scan the binary (if it's not too large)
    \end{itemize}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Exploring the Binary}
    One of the first functions, called (at \emph{40F37Bh}) is interesting.\\
    We can get to it in two ways. One is exploring from the beginning of the binary and the second is by following backwards references like the following
        \begin{block}{}
            \begin{semiverbatim}
\uncover{.UPX0:0040AC62 11AC        mov     eax, ds:off_412828}
\uncover{.UPX0:0040AC67 11AC        mov     eax, [eax]}
\uncover{.UPX0:0040AC69 11AC        call    eax}
            \end{semiverbatim}
        \end{block}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Exploring the Binary}
        \begin{block}{}
            \begin{semiverbatim}
\uncover{.UPX0:0040AC62 11AC        mov     eax, ds:off_412828}
\uncover{.UPX0:0040AC67 11AC        mov     eax, [eax]}
\uncover{.UPX0:0040AC69 11AC        call    eax}
            \end{semiverbatim}
        \end{block}

        \begin{itemize}
            \item<2->{Following the offset \emph{off\_412828} we will find ourselves at \emph{413D44h}. This address has two references and is actually written to by one of them (\emph{DATA XREF: sub\_406764+288})\\}
            \item<3->{Inspecting the reference we see this and other addresses are being written to, all of which are called\\}
            \item<4->{Hence we have more imports to fix. This time the program seems to be using a hash based approach, where it's difficult to tell the import from the value fed}
        \end{itemize}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Resolving the Imports}
    If we trace the function with \emph{OllyDbg} we can see that a good set of \emph{API} functions are imported
        \begin{block}{}
        \small
            \begin{semiverbatim}
.UPX0:004069E0 030         mov     [ebx], eax
.UPX0:004069E2 030         mov     eax, 0A7733ACDh
.UPX0:004069E7 030         call    resolve_import
.UPX0:004069E7
.UPX0:004069EC 030         mov     ds:send, eax
.UPX0:004069F1 030         mov     eax, 0A0F5FC93h
.UPX0:004069F6 030         call    resolve_import
.UPX0:004069F6
.UPX0:004069FB 030         mov     ds:WSAStartUp, eax
.UPX0:00406A00 030         mov     eax, 5E568BBh
.UPX0:00406A05 030         call    resolve_import
.UPX0:00406A05
.UPX0:00406A0A 030         mov     ds:socket, eax
            \end{semiverbatim}
        \end{block}
\end{frame}

\begin{frame}
    \frametitle{A Quick Glimpse of the Imports}
    \begin{itemize}
        \item Of special interest are the functions from the networking \emph{API}
        \item Combined with a look at the imports gives us dire forecast
        \item Further inspection reveals that this is indeed malicious
    \end{itemize}
  \begin{center}
    \pgfimage[height=3cm]{images/analysis_I/IDA_urldownloadtofile}
    \pgfimage[height=3cm]{images/analysis_I/IDA_winexec}
  \end{center}    
\end{frame}

\begin{frame}[fragile]
    \frametitle{Interesting Code Construct}
        \begin{block}{}
            \small
            \begin{semiverbatim}
.UPX0:00406086 000         mov     eax, eax
.UPX0:00406088 000         push    ebx
.UPX0:00406089 004         push    esi
.UPX0:0040608A 008         mov     esi, edx
.UPX0:0040608C 008         mov     ebx, eax
.UPX0:0040608E 008         push    esi
.UPX0:0040608F 00C         push    ebx
.UPX0:00406090 010         call    ds:__WSAFDIsSet
.UPX0:00406090
.UPX0:00406096 008         cmp     eax, 1
.UPX0:00406099 008         sbb     eax, eax
.UPX0:0040609B 008         inc     eax
.UPX0:0040609C 008         pop     esi
.UPX0:0040609D 004         pop     ebx
.UPX0:0040609E 000         retn
            \end{semiverbatim}
        \end{block}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Branchless Logic}
        \begin{block}{}
            \begin{semiverbatim}
                cmp     eax, 1
                sbb     eax, eax
                inc     eax
                pop     esi
                pop     ebx
                retn
            \end{semiverbatim}
        \end{block}
        \begin{itemize}
            \item<1-> \alert{cmp eax, 1} will set the carry flag (\alert{CF}) if \alert{eax} is 0
            \item<2-> \alert{sbb eax, eax} does \alert{eax = eax - (eax+CF)}
            \item<3-> Therefore if \alert{eax} was 0 we have \alert{eax = 0 - (0+1) = -1}
            \item<4-> Otherwise if \alert{eax} is greater than 0 we have \alert{eax = eax - eax+0 = 0}
            \item<5-> The increment will set the possible \alert{eax} values to 1 or 0
        \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Hotspots}
    Points of interest in the binary are
    \begin{itemize}
        \item Import resolution \emph{40F37Bh}
        \item Deobfuscation function \emph{406464h}
        \item \emph{NetBios} spreading \emph{409408h}
        \item Connect to \emph{Mydoom}'s backdoor \emph{409E50}
        \item Download and execute \emph{40AE30h}
        \item Build system info summary \emph{40BA14h}
        \item Handle \emph{IRC} commands \emph{40C330h}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{The Target Revealed}
  \begin{columns}[c]
    \begin{column}{5.2cm}
        \pgfimage[width=5cm]{images/analysis_I/virus_I_mugshot}
    \end{column}
    \begin{column}{6.5cm}
        \begin{block}{}
            \begin{itemize}
                \item Kaskpersky: \emph{Backdoor.Win32.Gobot.w}
                \item McAfee: \emph{Exploit-Mydoom}
                \item Symantec: \emph{W32.Gobot.A} 
                \item Trend Micro: \emph{BKDR\_GOBOT.W}
            \end{itemize}
        \end{block}
    \end{column}
  \end{columns}

    \begin{block}{}
        \begin{itemize}
            \item SHA1: \emph{c9f10fa5135e3f10c1fb942d12bb8f267e4203d0}
            \item MD5: \emph{04c94ee7122a2844e12afe0928806fa0}
        \end{itemize}
    \end{block}
\end{frame}


\subsection{Analysis II}
\begin{frame}
    \frametitle{The Target}
    \pgfimage[width=5cm]{images/analysis_II/virus_II_mugshot}
    \begin{block}{}
        \begin{itemize}
            \item SHA1: \emph{f30ad924a0d35b13d2057b1bb6305ad5a8ac8fa2}
            \item MD5: \emph{0af7b122bb722fb679c97fdb8cf85d23}
        \end{itemize}
    \end{block}
\end{frame}

\begin{frame}
    \frametitle{Is it Packed?}
    \begin{itemize}
        \item<+-> If so, generally there are no visible strings.
            \pedbullet{<+->\alert{Remember: Unicode strings have a non-occidental charset}}
        \item<+-> Most common imports will not be present
        \item<+-> Perhaps only \texttt{LoadLibrary} and \texttt{GetProcAddress}
        \item<+-> Recall that we can utilize statistical tests as an indicator
            \pedbullet{<+->A high entropy indicates a \emph{very-likely-to-be-compressesed} data section}
    \end{itemize}
\end{frame}
        
\begin{frame}[t]
    \frametitle{What is it Packed With?}
  \begin{columns}[T]
    \begin{column}{6cm}
      \begin{itemize}
        \item Can we guess the packer?
        \item Does \emph{PEiD} help?
        \item Does a hexeditor expose any clues?
      \end{itemize}
    \end{column}
    \begin{column}{6cm}
        \pgfimage<2->[width=5.6cm]{images/analysis_II/UPX_hexdump_scrambled_strings}%
    \end{column}
  \end{columns}
\end{frame}

\begin{frame}
    \frametitle{First look in IDA (1)}
    Here we can see a basic obfuscation technique. Upon execution it will first go through an \emph{XOR} loop to reveal some additional code. Execution continues at the unveiled code
  \begin{center}
    \pgfimage[width=10cm]{images/analysis_II/IDA_1st_xor_loop}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{First look in IDA (2)}
    This is the result after the deobfuscation is finished
  \begin{center}
    \pgfimage[width=8cm]{images/analysis_II/IDA_1st_xor_loop_after}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Lack of imports}
    We can now follow the newly available code in \emph{IDA}.
    We soon realize that there's not much we can tell as there are no imported symbols available
  \begin{center}
    \pgfimage[width=8cm]{images/analysis_II/IDA_parite_code_no_imports}
  \end{center}
\end{frame}

\begin{frame}[t]
    \frametitle{\emph{OllyDbg} to the Rescue}
    \emph{OllyDbg} can help in this case.
    \begin{itemize}
        \item<2-> Tracing to the interesting locations, we can see where the addresses are actually pointing to
        \item<3-> The binary is resolving the imported symbols by itself
    \end{itemize}
  \begin{center}
    \pgfimage<2-2>[width=11cm]{images/analysis_II/OllyDBG_00_calling_loadlibrary}
    \pgfimage<3-3>[width=10cm]{images/analysis_II/OllyDBG_01_resolving_imports}
    \pgfimage<4->[width=8cm]{images/analysis_II/OllyDBG_02_resolved_imports_in_the_stack}
  \end{center}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Resolving Imports}
    \begin{itemize}
        \item Two functions are used \emph{LoadLibrary} and \emph{GetProcAddress}
    \end{itemize}
    \begin{block}{}
    \begin{semiverbatim}
HMODULE WINAPI LoadLibrary
(
    LPCTSTR lpFileName
);

FARPROC WINAPI GetProcAddress
(
    HMODULE hModule, LPCSTR lpProcName
);
    \end{semiverbatim}
    \end{block}
\end{frame}

\begin{frame}
    \frametitle{Imports fixed...}
    \begin{itemize}
        \item The imported symbols appear mainly to relate to file access operations
        \item We can track the flow further in \emph{OllyDbg} and conveniently comment the \emph{API} call names in \emph{IDA} for later reference
        \item We can also locate the table of addresses and write a small script to do it for us. More on that later
        \item After some tracing it is possible to see that the file being executed is opened, seeked and then its contents written to disk after yet another \emph{XOR}'ing loop
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Main Deobfuscation Function}
  \begin{center}
    \pgfimage[height=6cm]{images/analysis_II/IDA_parite_body_xor_function}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Now What?}
    \begin{itemize}
        \item After the file is entirely dumped to disk, it is loaded as a \emph{DLL} (Typical \emph{LoadLibrary}, \emph{GetProcAddress}, \emph{call} sequence)
        \item If we take a look at the dumped file we can see that, yet again, it's packed. But this time it is a \emph{DLL}
        \item The unpacking code is in the \emph{DLLEntryPoint} (automatically called when doing invoking \emph{LoadLibrary})
        \item The main sample will resolve the \emph{Initiate} procedure and call it
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Dumping a DLL}
    \begin{itemize}
        \item<+-> If we want the unpacked contents of the binary we can use \emph{ProcDump} to dump the \emph{DLL} from memory
        \item<+-> Now we have the code but not the imports
            \pedbullet{And fixing the imports for a \emph{DLL} is not trivial}
    \end{itemize}
  \begin{center}
    \pgfimage[width=8cm]{images/analysis_II/ProcDump_dumping_the_dropped_and_loaded_dell}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Fixing Imports}
    \begin{itemize}
        \item<+-> If we followed all along with \emph{OllyDbg}, it is possible to find the imported \emph{API} calls becase \emph{UPX} did the work of resolving them for us when the \emph{DLL} was loaded
        \item<+-> We will track the execution to find the table of imported symbols
        \item<+-> We will then extract that info and use it in \emph{IDA}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Fixing Imports (1)}
    The execution is followed until the dropped \emph{DLL} is loaded and its \emph{Initiate} exported function called
  \begin{center}
    \pgfimage[width=10cm]{images/analysis_II/OllyDBG_03_calling_the_dlls_Initiate}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Fixing Imports (2)}
    \begin{itemize}
        \item We step into and try to find an instance where a call to an imported symbol is made
        \item \emph{OllyDbg} will indicate this by displaying a \emph{DLL.Function} name on the right side of the disassembly
    \end{itemize}
  \begin{center}
    \pgfimage[width=11cm]{images/analysis_II/OllyDBG_04_calling_a_dll_resolved_import}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Fixing Imports (3)}
    Following the jump we find what we wanted. The table with all the symbols!
  \begin{center}
    \pgfimage[width=10cm]{images/analysis_II/OllyDBG_05_the_dlls_table_of_imported_symbols}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Being Inventive (1)}
    \begin{itemize}
        \item<+-> Now that we have found all the imported symbols for the \emph{DLL}, we want to be able to port it over to our disassembly
        \item<+-> One possible approach is to use \emph{IDAPython} and some C\&P'ing
    \end{itemize}
\end{frame}
    
\begin{frame}
    \frametitle{Being Inventive (2)}
    \begin{itemize}
        \item<+-> Lets copy the entire list from \emph{OllyDbg} and paste it in a decent editor with regex substitution support
        \item<+-> Now some regex magic...
            \begin{block}{}
                \begin{center}
                    ([0-9ABCDEF]+).*jmp.*; (.*) \\
                    MakeName($\backslash$1, '$\backslash$2')
                \end{center}
            \end{block}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Being Inventive (3)}
    \begin{itemize}
        \item<+-> ...and turn it into something sexier
            \begin{block}{}
                MakeName(0x008E2DA0, 'advapi32.RegCloseKey')\\
                MakeName(0x008E2DA6, 'advapi32.RegCreateKeyExA')\\
                MakeName(0x008E2DAC, 'advapi32.RegFlushKey')\\
                MakeName(0x008E2DB2, 'advapi32.RegOpenKeyExA')\\
                ...
            \end{block}
        \item<+-> Copy the converted text into \emph{IDAPython}'s notepad and execute it
        \item<+-> Now, we will have all the names in our dumped \emph{DLL}
    \end{itemize}
\end{frame}


\begin{frame}
    \frametitle{Main Deobfuscation Function}
  \begin{center}
    \pgfimage[height=6cm]{images/analysis_II/IDA_parite_fixed_imports}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{Is That All?}
    \begin{itemize}
        \item<1-> You might think that the unpacking is now complete... unfortunately that's only partially true
        \item<2-> If we follow the flow further we will eventually find that it does not exit
        \item<3-> Instead we find ourselves in \emph{UPX} unpacking code...
        \item<4-> ... unpacking again?
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{The Follow Up}
    \begin{itemize}
        \item \emph{UPX} is pretty simple to deal with
        \item We just move to the end of the unpacking code and look at the jump
        \item It's indeed \emph{UPX} and after the unpacking is done execution will continue within the binary
        \item If we breakboint the jump and let it unpack we can dump the new executable
    \end{itemize}
  \begin{center}
    \pgfimage[height=3.7cm]{images/analysis_II/IDA_UPX_jump_to_oep}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{The 2nd Unpacked Component}
    After some inspection it's possible to find that this new element is certainly malicious (as is the \emph{DLL})
  \begin{center}
    \pgfimage[height=3cm]{images/analysis_II/IDA_urldownloadtofile}
    \pgfimage[height=3cm]{images/analysis_II/IDA_winexec}
  \end{center}    
\end{frame}

\begin{frame}
    \frametitle{Final Outcome}
    \begin{itemize}
        \item \alert{What's the explanation?}
        \item The second sample is a Bot, specifically \emph{Backdoor.Win32.Gobot.w} or \emph{W32.Gobot.A}, depending on who you ask
        \item The first sample was \emph{Parite}
        \item \emph{Parite} is a polymorphic file infector and we just saw it in action
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{The Target Revealed}
  \begin{columns}[c]
    \begin{column}{5.2cm}
        \pgfimage[width=5cm]{images/analysis_II/virus_II_mugshot}
    \end{column}
    \begin{column}{6.5cm}
        \begin{block}{}
            \begin{itemize}
                \item Kaskpersky: \emph{Virus.Win32.Parite.b}
                \item McAfee: \emph{W32/Pate.b}
                \item Symantec: \emph{W32.Pinfi} 
                \item Trend Micro: \emph{PE\_PARITE.A}
            \end{itemize}
        \end{block}
    \end{column}
  \end{columns}
    \begin{block}{}
        \begin{itemize}
            \item SHA1: \emph{f30ad924a0d35b13d2057b1bb6305ad5a8ac8fa2}
            \item MD5: \emph{0af7b122bb722fb679c97fdb8cf85d23}
        \end{itemize}
    \end{block}
\end{frame}
